docker.cli.txt
┏━━━━━━━━━━━━━━━━━━━┓
┃ DOCKER ENGINE ┃
┗━━━━━━━━━━━━━━━━━━━┛
SUMMARY ==> #Container (i.e. OS-level virtualization) technology.
#Abstraction of LXC:
# - isolate filesystem, processes, network, users|groups (each can be relaxed)
# - Linux only (runs on other OS with hardware virtualization)
# - uses OCI
#Client-server architecture, with a REST API
#Use images:
# - filesystem snapshots, with metadata (labels) and environment variables
# - with a layer system:
# - use caching
# - can see history|diff
# - use "storage driver", e.g. union filesystems
# - created through: build|Dockerfile (declarative), commit (imperative), import|load (serialization)
# - can have several names ("tags")
# - application-centric: meant to execute a specific command with|without arguments (microservice)
# - use a registry (e.g. Docker Hub)
# - should use microcontainers, especially: official images with alpine tag, iron/IMAGE, alpine, busybox, scratch
#Containers are instances:
# - can be started|stopped, paused|unpaused
# - can configure automatic restart policy, healthchecks
#Data:
# - can copy files in|out
# - data volumes: break filesystem isolation to provide speed or distributed data
#Networks:
# - isolate with NAT, while still providing internode networking: single-host (bridge, macvlan) or
# multi-host (overlay)
# - can configure IP routing, MAC, IPAM, ports, DNS|hostnames, TLS
#Security:
# - user|group can be isolated, but must configure it
# - server runs as root
# - can configure kernel capabilities, SELinux, Apparmor, Seccomp
#Performance:
# - near native, but must configure it
# - can impose limits: ulimit, CPU, memory, I/O, processes, IPC
#Inspecting:
# - many debugging commands
# - can configure standard streams and signals redirection
# - logging:
# - container's stdout|stderr: can use different drivers (e.g. syslog, AWS, etc.)
# - server events
# - container processes monitoring
PROJECTS ==> #Most of this documentation is "Docker engine"
#Also documented:
# - static analysis of images
DOCKER COMPOSE ==> #Docker compose is partly documented here, partly in its own file
DOCKER CS ENGINE ==> #Like Docker Engine, but with commercial support
#E.g. backport fixes to previous versions, and regular support
DOCKER DATACENTER ==> #CS engine + Universal Control Plane + Docker trusted registry
┌─────────────┐
│ VERSION │
└─────────────┘
VERSION ==> #1.12.3
docker version #Prints current client|server version
-f GOTMP
--format GOTMP #
SYSINFO."Server Version"
NODEINFO.Description.Engine.
EngineVersion #
IMAGEINFO.DockerVersion #The image was created with
┌──────────────────┐
│ INSTALLATION │
└──────────────────┘
OS ==> #Built on top of LXC, so runs only on Linux
#However, on Mac or Windows, installation tools create virtual machine
DOCKER MACHINE ==> #Two purposes:
# - old way to install docker engine on Windows or Mac, before "Docker for Windows/Mac". Not really needed.
# - uses VirtualBox
# - SSH + docker engine installer/upgrader/manager for remote hosts. Also install Docker Swarm (not swarm mode)
# - supports most cloud providers
DOCKER TOOLBOX ==> #docker engine + compose + machine + virtualBox + kitematic
#Meant to install docker on old Windows/Mac. Use "docker for Windows/Mac" instead
DOCKER FOR WINDOWS/MAC ==> #Install docker engine, compose and (Windows only) machine, on a Linux virtual machine
# - using Hyper-V (Windows), Hyperkit (Mac)
# - for newer versions only: Windows 10, MacOS 10.10.3
┌──────────────┐
│ NOTATION │
└──────────────┘
ID #Can always be shortened
GOTMP #Go template, taking an OBJ as input.
#Has extra available FUNC:
# - join ARR
# - json VAL
# - lower|upper|title STR
# - split STR "CHAR"
DUR #Go duration strings, i.e. [NUMh][NUMm][NUMs][NUMms][NUMus][NUMns]
┌──────────────────────────┐
│ ISOLATION/NAMESPACES │
└──────────────────────────┘
docker build|create ...
ISOLATION ==> #Provide isolation:
# - filesystem, except for data volumes or related (--device, --tmpfs)
# - processes: PID, process list
# - IPC
# - network: interfaces, hostnames
# - users, groups
--isolation STR #Underlying isolation technology among:
HOSTCONF.Isolation # - process: OCI
# - hyperv: Hyper-V (virtual machines)
# - default or "" (def): "process" on Linux, "hyperv" on Windows
┌────────┐
│ OS │
└────────┘
SYSINFO."Kernel Version" #
SYSINFO."Operating System" #
SYSINFO.OSType
IMAGEINFO.Os
NODEINFO.Description.Platform.OS #E.g. linux
SYSINFO.Architecture
IMAGEINFO.Architecture
NODEINFO.Description.Platform.
Architecture #E.g. x86_64
docker create ...
--sysctl VAR=VAL
HOSTCONF.Sysctls.VAR #Linux kernel options (using sysctl)
┌─────────┐
│ OCI │
└─────────┘
OCI ==> #Docker is built on top of "Open containers", using containerd
dockerd ...
--containerd FILE #Path to containerd socket
--add-runtime NAME=PATH
DOCKERCONF.runtimes.NAME.path #Adds OCI-compatible runtime (like runC)
--default-runtime NAME
DOCKERCONF.default-runtime
SYSINFO."Default runtime" #Picks OCI-compatible runtime (like runC)
--exec-opt VAR=VAL #Options passed to OCI runtime, e.g.
DOCKERCF.runtimes.NAME.runtimeArgs# - native.cgroupdriver systemd or cgroupfs (def)
# - can be seen with SYSINFO."Cgroup driver"
docker create ...
--runtime NAME
SYSINFO.Runtimes
HOSTCONF.Runtime #
┌────────────────┐
│ MAIN FILES │
└────────────────┘
DOCKERDIR #Runtime directory for high-level dockerd with notably:
dockerd ... # - containers/CONTAINER_ID/:
-g DOCKERDIR # - log files
--graph DOCKERDIR # - config, including routing
SYSINFO."Docker Root Dir" # - images/
# - network/
# - volumes/: data volumes
# - swarm/: swarm state
# - tmp/: can choose different dir with ENVVAR DOCKER_TMPDIR
#Def: /var/lib/docker/
RUNDOCKERDIR
--exec-root DIR #Runtime directory for low-level dockerd with notably: containerd, networking
DOCKERPIDFILE #PID of dockerd. Def: /var/run/docker.pid
dockerd ...
-p PIDFILE
--pidfile PIDFILE #
DOCKERHOME #~/.docker/
docker ...
--config=DOCKERHOME [COMMAND] #Overrides
ENVVAR DOCKER_CONFIG #If COMMAND, only overrides for docker COMMAND
DOCKERCONF #Either:
# - docker --config=FILE
# - DOCKERHOME/config.json
┌────────────┐
│ SERVER │
└────────────┘
CLIENT-SERVICE ARCHITECTURE ==> #Client is connected to server (daemon)
#Server can bind to (according to -H):
# - unix:///PATH: Unix socket (def: unix:///var/run/docker.sock)
# - tcp://HOST[:PORT][/PATH]: TCP:
# - def PORT: 2375 if no TLS, 2376 if TLS
# - PATH will be prepended to all requests
# - fd://[NUM]: systemd socket
dockerd|docker|docker-compose ...
-H ...
--host ... #Address server listens to, or client connects to
ENVVAR DOCKER_HOST #Can be used multiple times
DOCKERCONF.HttpHeaders.VAR #HTTP header named VAR, value VAL, to add, i.e. always sent by client to server
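Added example (not from the cheat sheet): a parser for the -H / DOCKER_HOST forms listed above, filling in the default socket and the 2375/2376 port rule, plus a defender's check of what a given listen address exposes. The finding texts and the "bound to all interfaces" test are this example's own; the daemon-runs-as-root fact is from the Security summary.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Defaults as given in the cheat sheet.
DEFAULT_HOST = "unix:///var/run/docker.sock"
PLAIN_PORT, TLS_PORT = 2375, 2376


@dataclass
class DockerHost:
    scheme: str             # unix, tcp or fd
    address: Optional[str]  # socket path, hostname/IP, or systemd fd number
    port: Optional[int]     # tcp only
    path: str               # tcp only: prefix prepended to every request
    tls: bool


def parse_docker_host(value: str, tls: bool = False) -> DockerHost:
    """Parse one -H / DOCKER_HOST value, applying Docker's defaults."""
    value = value.strip() or DEFAULT_HOST
    if "://" not in value:
        raise ValueError(f"missing scheme in {value!r}")
    scheme, _, rest = value.partition("://")
    if scheme == "unix":
        return DockerHost("unix", rest or "/var/run/docker.sock", None, "", False)
    if scheme == "fd":
        return DockerHost("fd", rest or None, None, "", False)
    if scheme == "tcp":
        parts = urlsplit(value)  # handles host:port and bracketed IPv6 forms
        port = parts.port if parts.port is not None else (TLS_PORT if tls else PLAIN_PORT)
        return DockerHost("tcp", parts.hostname or "", port, parts.path.rstrip("/"), tls)
    raise ValueError(f"unsupported scheme {scheme!r}")


def exposure_findings(value: str, tls: bool = False) -> List[str]:
    """Checks for a dockerd listen address: the daemon runs as root, so whoever can
    reach its API without authentication controls the host."""
    host = parse_docker_host(value, tls)
    findings: List[str] = []
    if host.scheme != "tcp":
        return findings  # unix socket / systemd fd: access governed by file permissions
    if not host.tls:
        findings.append("tcp without --tls*: API reachable in clear, no client authentication")
    if host.address in ("", "0.0.0.0", "::"):
        findings.append("bound to all interfaces")
    if host.tls and host.port == PLAIN_PORT:
        findings.append("TLS served on the conventional plaintext port 2375")
    return findings


def audit_listen_addresses(values: List[str], tls: bool = False) -> Dict[str, List[str]]:
    """-H can be given several times; audit each one (none given means the default socket)."""
    return {v: exposure_findings(v, tls) for v in (values or [DEFAULT_HOST])}


if __name__ == "__main__":
    # Constructed sample of a daemon listening on the socket and on every interface.
    for addr, issues in audit_listen_addresses(["unix:///var/run/docker.sock", "tcp://0.0.0.0"]).items():
        print(addr, "->", issues or ["ok"])
```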
SERVER #Theoretically a server has a name (def: "docker") and a SERVER_ID (def: random)
#I do not know how to set it though
SYSINFO.ID #
dockerd #Starts server
#Can change binary path with ENVVAR DOCKERD
#There is support for:
# - SysVInit: e.g. start (once) with: sudo service docker start
# - systemd: e.g. start (at each boot) with: sudo systemctl enable docker
# - upstart
DOCKER_OPTS #Extra flags passed to dockerd
--config-file DOCKERCONF #JSON config file (def: /etc/docker/daemon.json) to pass extra flags to dockerd
#Cannot be in conflict with options passed on the CLI
#Flags that can appear several times use plural name, e.g. --label STR -> "labels" STR_ARR
#Can be reloaded by sending SIGHUP to dockerd:
# - only for --debug, --labels, --live-restore, --max-concurrent-*
/etc/default/docker #File read when using SysVInit or upstart, usually setting ENVVAR
MULTIPLE SERVERS ==> #To run multiple servers on a single host, must be separated from each other using these
#options (documented elsewhere in this doc):
# - --exec-root, --graph, --pidfile: for filesystem
# - --config-file: for config
# - --bridge, --host, --iptables, --tls*: for networks
dockerd ...
--api-cors-header STR #Sets Access-Control-Allow-Origin [S] (def: no CORS enabled), so that client can be on different host than server
COMPOSE_HTTP_TIMEOUT !#Def: 60 (in secs)
┌──────────────┐
│ REST API │
└──────────────┘
ENVVAR DOCKER_API_VERSION
ENVVAR COMPOSE_API_VERSION #To specify which version to use (def: latest)
COMPATIBILITY ==> #400 if client is newer than server
USES ==> #Very similar to CLI commands
#On all entities: container, image, volume, network, plugin, node, swarm, service, task
#GET requests have query variables to filter
#Very often, format will be similar to "inspect" CLI commands, e.g. docker volume inspect's output
#See online for more info
ERRORS ==> #OBJ: message STR
┌─────────┐
│ CLI │
└─────────┘
AUTOCOMPLETION ==> #Available for Bash, Fish, ZSH, PowerShell
#Under GitHub source at /contrib/completion/
WHARFEE ==> ##Shell application that adds to Docker CLI:
## - autocompletion
## - syntax highlighting
## - removes need to type "docker"
##Version 0.10
┌──────────────┐
│ BUILDING │
└──────────────┘
IMAGE/CONTAINERS ==> #Are basically a filesystem snapshot|archive (i.e. tree of files), with metadata (e.g. COMMANDs)
#Image|containers are basically the same except:
# - order: container is topmost layer, images all others
# - write operations:
# - when writing to a file, use topmost layer where this file exists:
# - container is read-write, i.e. normal operation
# - images are read-only, copy-on-write: copy the file (applying modification to it) to topmost layer
# (i.e. container)
# - docker commit transforms a container into an image
IMAGE #Pulled from registry unless available locally
#Is either:
# - IMAGE_ID:
# - SHA256 content hash
# - [HOST/][REPO_USER/]IMAGE_NAME[:TAG][@sha256:HASH]:
# - def HOST: registry-1.docker.io
# - REPO_USER (if push|pull, def: docker): see Registry
# - IMAGE_NAME: [[:alnum:]._-]
# - def TAG: latest
# - should always specify precise TAG to avoid unpredictability
# - should use same tags across environments (dev, prod, etc.) and avoid environment-specific tags.
# Use ENVVAR instead
# - HASH: content hash
DL3006|3007 ##Do not use IMAGE or IMAGE:latest, but use IMAGE:TAG, because "latest" adds unpredictability
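Added example (not from the cheat sheet or hadolint): a parser for the [HOST/][REPO_USER/]IMAGE_NAME[:TAG][@sha256:HASH] form above, applying the registry-1.docker.io and "latest" defaults, and a small FROM-line check that reports DL3006 (no tag) and DL3007 (explicit latest). The registry-host heuristic (first component contains "." or ":" or is "localhost") and the tag/digest character classes are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defaults as stated in the cheat sheet.
DEFAULT_HOST = "registry-1.docker.io"
DEFAULT_TAG = "latest"

# Character classes assumed for this example (the sheet gives IMAGE_NAME as [[:alnum:]._-]).
_NAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]*")
_TAG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")
_DIGEST_RE = re.compile(r"sha256:[a-f0-9]{64}")


@dataclass
class ImageRef:
    host: str
    user: Optional[str]    # REPO_USER, None when the reference has no namespace
    name: str
    tag: Optional[str]     # None when no explicit tag was given
    digest: Optional[str]
    host_explicit: bool


def _looks_like_host(component: str) -> bool:
    # Assumed heuristic: the first path component is a registry host only if it
    # contains '.' or ':' or is exactly "localhost".
    return "." in component or ":" in component or component == "localhost"


def parse_image_ref(ref: str) -> ImageRef:
    """Split [HOST/][REPO_USER/]IMAGE_NAME[:TAG][@sha256:HASH] into its parts."""
    rest = ref.strip()
    digest = None
    if "@" in rest:
        rest, digest = rest.split("@", 1)
        if not _DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed digest: {digest!r}")
    # A ':' after the last '/' separates the tag; a ':' before it is a registry port.
    tag = None
    colon = rest.rfind(":")
    if colon != -1 and "/" not in rest[colon + 1:]:
        rest, tag = rest[:colon], rest[colon + 1:]
        if not _TAG_RE.fullmatch(tag):
            raise ValueError(f"malformed tag: {tag!r}")
    parts = rest.split("/")
    host, host_explicit = DEFAULT_HOST, False
    if len(parts) > 1 and _looks_like_host(parts[0]):
        host, host_explicit = parts[0], True
        parts = parts[1:]
    user = "/".join(parts[:-1]) or None
    name = parts[-1]
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"malformed image name: {name!r}")
    return ImageRef(host, user, name, tag, digest, host_explicit)


def pin_findings(ref: ImageRef) -> List[str]:
    """Rule codes from the sheet that this reference would trigger."""
    if ref.digest:             # a content hash pins the image whatever the tag says
        return []
    if ref.tag is None:
        return ["DL3006"]      # implicit :latest
    if ref.tag == DEFAULT_TAG:
        return ["DL3007"]      # explicit :latest
    return []


def effective_tag(ref: ImageRef) -> str:
    """The tag docker pull resolves when none is written."""
    return ref.tag if ref.tag is not None else DEFAULT_TAG


def check_from_lines(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Lint every FROM line: (line number, image reference as written, rule code)."""
    findings = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0].upper() == "FROM":
            ref = parse_image_ref(tokens[1])
            findings.extend((lineno, tokens[1], code) for code in pin_findings(ref))
    return findings


# Constructed sample Dockerfile exercising each case (the digest is a placeholder).
SAMPLE_DOCKERFILE = """\
FROM nginx
FROM node:latest
FROM registry.example.com:5000/team/app:1.4.2
FROM alpine@sha256:{digest}
""".format(digest="a" * 64)

if __name__ == "__main__":
    for lineno, image, code in check_from_lines(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {image} -> {code}")
```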
docker commit CONTAINER [IMAGE] #Creates a new (or copies to an) IMAGE, from an existing CONTAINER
-c COMMAND #Execute Dockerfile command
--change COMMAND #Can only be CMD|ENTRYPOINT|ENV|EXPOSE|LABEL|ONBUILD|USER|VOLUME|WORKDIR
-p false #Do not temporarily pause the CONTAINER (if it's running).
--pause false #Pausing is done to avoid data corruption while docker commit is ongoing
docker build DIR|URI|- #Creates an IMAGE from a DIR with a Dockerfile inside.
docker-compose build [IMAG_NAM...]#URI can be:
# - Dockerfile
# - DIR
# - .tar[.xz|bz2|gz] archive
# - Git repo URI[#TAG|BRANCH|HASH_ID][:SUBPATH]: using git clone --depth 1 --recursive
#"-" is stdin:
# - must be a Dockerfile
# - can be compressed with .tar[.xz|bz2|gz]
#Non-0 exit code on failure
CPSCONF.build
CPSCONF.build.context #DIR|URI. First syntax is short version
-f DOCKERFILE
--file DOCKERFILE
CPSCONF.build.dockerfile #
-q
--quiet #
docker import FILE|URI|- [IMAGE] #Create an IMAGE from a set of files, i.e. directory, archived in a .tar file.
#Prints IMAGE_ID
#FILE|URI|-: like docker build
#If IMAGE, will call docker tag NEW_IMAGE IMAGE
#See also docker export
-c COMMAND
--change COMMAND #Like docker commit
docker load #Create an IMAGE from a serialized IMAGE.tar (created by docker save)
#Input is stdin, or -i|--input FILE.tar
-q
--quiet #
docker rmi IMAGE #Deletes an IMAGE
-f
--force #Deletes even if there are related containers
--no-prune #Do not delete parents without tags
┌────────────────┐
│ DOCKERFILE │
└────────────────┘
DOCKERFILE #Main configuration file, with commands below
#Def: BUILD_DIR/Dockerfile, or docker build -f DOCKERFILE
#Can concatenate several Dockerfiles into one
# COMMENT #
# escape=CHAR #Changes escape character (def: \)
#Can use escaped newlines, and should use them to sort long lists alphabetically (e.g. packages)
#Must be at top of file, before any instruction, comment or blank line
hadolint [DOCKERFILE] ##Dockerfile linter.
##Prints to stdout and uses exit code 1 if any error
##Def DOCKERFILE: stdin
##Also available as:
## - Docker image
## - web app
##There is also a parser/AST in Haskell
##The list of errors is documented in this doc as DL* (RULECODE)
##Other rules:
## - SC*: various Shell errors, linted with ShellCheck
##Version 1.2.1
--ignore RULECODE ##Most rules make sense, so should not have to ignore any
dockerfile_lint ##Dockerfile linter. Prefer hadolint
┌──────────────────┐
│ IMAGE LAYERS │
└──────────────────┘
BUILD LAYERS ==> #Works in layers:
# - each layer only contains modification from parent
# - container is last layer, read-write
# - images are others, read-only, shared by reference
# - uses "storage drivers" (see below)
#Each Dockerfile instruction (docker build) or commit (docker commit) creates a new layer:
# - intermediate IMAGE are removed at the end
# - each layer creates a new shell
# - e.g. $PWD will be reset, unless set with WORKDIR
# - should limit number of layers, i.e. combine instructions as much as possible
# - max 127 layers
# - prefer Dockerfile over commit, as it is easier to repeat and is more declarative
docker build ...
docker-compose build ...
--rm=false #Do not remove intermediate IMAGE
--force-rm |#Force removing intermediate IMAGE
BUILD CACHE ==> #Each layer + next instruction is cached:
# - by def reused if matched
# - specified in output log "Using cache"
#Invalidates cache:
# - ADD|COPY of new|newer files
# - i.e. should be as late as possible, to invalidate as little of the cache as possible
# - ARG with different value
#Does not invalidate cache:
# - COMMANDs, even if takes input from some global/changing state
# - e.g. apt-get install without version pinning
# - this can cause problems
docker build ...
docker-compose build ...
--no-cache |#
docker history IMAGE #Show all IMAGE layers:
# - IMAGE_ID (might be <missing> if removed, e.g. intermediary)
# - ctime
# - change: Dockerfile instruction, docker commit change, etc.
# - size
# - comment: see --message COMMIT_MESSAGE
--no-trunc #Do not truncate IMAGE_ID nor change
-q
--quiet #Only print IMAGE_ID
-H false
--human false #Do not show human-friendly size
IMAGEINFO.Container #CONTAINER_ID of the container this IMAGE was created from, i.e. container created from parent image
IMAGEINFO.ContainerConfig #CONTAINERINFO.Config of IMAGEINFO.Container
IMAGEINFO.RootFS #List of layers
docker diff CONTAINER #Prints difference between a CONTAINER and its IMAGE, i.e. what would be committed by docker commit
#Prints as A|C|D PATH (add|changed|deleted)
┌──────────────────┐
│ IMAGES DEBUG │
└──────────────────┘
docker images [IMAGE] #Prints images with information (one line per image+tag combination):
# - IMAGE (repository)
# - tag
# - sha256 checksum (if --digests)
# - image ID (truncated unless --no-trunc)
# - ctime
# - size
-a
--all #Prints all (do not hide intermediate images)
-q
--quiet #Only show image ID
--filter VAR=VAL #VAR:
# - dangling BOOL: true means no tag, and not intermediary image
# - label VAR[=VAL]
# - before|since IMAGE: using ctime
--format GOTMP #Input is OBJ:
# - Repository IMAGE
# - Tag
# - Digest
# - ID IMAGE_ID
# - CreatedSince|At
# - Size
#Def is DOCKERCONF.imagesFormat "GOTMP"
SYSINFO.Images #NUM
IMAGEINFO.Id #IMAGE_ID
IMAGEINFO.Config.Image
IMAGEINFO.Parent #IMAGE_ID or "" (if none)
IMAGEINFO.RepoDigests #sha256 checksum
IMAGEINFO.Created #"DATE"
IMAGEINFO.[Virtual]Size #NUM
docker inspect IMAGE... #Prints IMAGEINFO, i.e. debug information, as JSON
-f GOTMP
--format GOTMP #
--type image|container|task #If there is ambiguity
┌──────────┐
│ TAGS │
└──────────┘
docker tag IMAGE IMAGE2 #Make IMAGE2 a link to IMAGE, i.e.:
# - IMAGE_ID IMAGE_NAME: gives a name
# - IMAGE IMAGE:TAG: create tag
# - IMAGE REPO_USER/IMAGE_NAME: associate with a repository
docker build ...
-t IMAGE2
--tag IMAGE2
IMAGEINFO.RepoTags #Performs docker tag IMAGE_ID IMAGE2 after creating IMAGE
CPSCONF.image #Same, but also do docker pull (unless CPSCONF.build exist)
┌────────────────┐
│ BASE IMAGE │
└────────────────┘
MICROCONTAINER ==> #Container image optimized for small size
#Goal:
# - fastest to download, i.e. to deploy
# - more secure: smaller attack surface
RECOMMENDATION ==> #Use:
# - scratch: with statically linked binaries
# - busybox: when only basic shell and Unix commands needed
# - official images:
# - for everything else
# - with alpine tag
# - if no alpine tag, use iron/IMAGE
# - alpine: as a base, if no official image nor iron/IMAGE
RUNTIME ==> #A small Linux core is always created runtime:
# - (using tmpfs) /dev/console, /dev/pts, /dev/shm, /proc, /sys
# - minimal /etc: hosts, hostname, resolv.conf, mtab
#Created runtime, so:
# - does not take image space
# - cannot be manipulated at buildtime
scratch #Docker IMAGE with nothing in it (i.e. 0 bytes)
# - no binary, i.e.:
# - no shell, no apt-get, etc.
# - need to use ADD|COPY
# - is actually a no-op (does not create a layer)
#Binaries must be statically linked, or provide dynamic libraries (including ld and e.g. libc) to run
BUSYBOX ==> #Single 1-2MB binary providing stripped-down versions of the usual Linux binaries
#Can configure a lot (e.g. removing binaries) compile-time
#Uses musl libc (small libc) but can build with glibc (much bigger, more features) or uclibc (similar to musl)
#instead
busybox #1MB
#Docker IMAGE based on scratch, adding:
# - busybox
# - /dev:
# - std*, tty, ptmx, fd
# - null, zero, random, urandom
# - mqueue, fuse, core
# - /etc: passwd, group, shadow, localtime
# - empty /home, /root, /tmp, /usr/sbin, /var/spool/mail, /var/www
#Can use tags: uclibc or glibc for different C library
#Default CMD: sh
alpine #5MB
#Docker IMAGE based on scratch, adding:
# - fundamental packages:
# - busybox
# - SysVInit
# - APK:
# - small package manager
# - automatically cleans up
# - ld: linker
# - musl libc
# - NSS, SSL: crypto
# - Zlib
# - useful utilities:
# - /etc/fstab: mounting
# - cron
# - sysctl, module-init-tools: kernel-related features
# - basic DHCP configuration
# - logrotate: log utility
# - iconv: charset conversion
# - scanelf: ELF utilities
# - in /etc/, some useful conf files:
# - profile, profile.d/:
# - shell startup files, which set ENVVAR CHARSET, PATH, PAGER, PS1
# - not read by default by Docker though
# - alpine-release, /etc/os-release: OS version
# - issue|motd: terminal welcome message
# - TZ: current timezone
# - protocols|services: URI schemes port numbers
# - securetty: possible terminals to connect to
# - shells: possible shells
# - useful empty dirs: /lib/firmware, /media/cdrom|floppy|usb, /mnt, /run, /srv, /usr/share/man, /usr/share/misc,
# /usr/local/bin|lib|share, /var/cache|lib/misc, /var/empty, /var/local, /var/log, /var|etc/opt, /var/run
# - useful symlinks: many /sbin/*, /usr/bin/*, /usr/sbin/* to /bin/busybox
#Designed to run from RAM
#No default CMD|ENTRYPOINT
iron/IMAGE #Images based on alpine, adding only:
# - ca-certificates
# - what is needed to run the language, e.g.:
# - only "apk add python" for iron/python
# - 19MB for Node.js (runtime is 11MB, alpine 5MB)
# - no default CMD|ENTRYPOINT
#Possible IMAGEs: elixir, erlang, gcc, go, java, leiningen (clojure), mono, node, perl, php, python, ruby, scala
#Can use IMAGE:dev, bigger images but with dev tools to build the language from source
debian #Official Docker IMAGE, 123MB
buildpack-deps:curl #Official Docker IMAGE, 167MB
#Based on debian image, adds: ca-certificates, curl, wget
buildpack-deps #Official Docker IMAGE, 608MB
#Based on buildpack-deps:curl, adds:
# - bzr, git, mercurial, svn
# - openssh
# - procps: utilities for /proc
# - build tools: automake, autoconf, g++, gcc, make, patch
# - bzip2, xz, zlib
# - file
# - imagemagick
# - libbz2-dev, libc6-dev, libcurl4-openssl-dev, libdb-dev, libevent-dev, libffi-dev, libgdbm-dev, libgeoip-dev,
# libglib2.0-dev, libjpeg-dev, libkrb5-dev, liblzma-dev, libmagickcore-dev, libmagickwand-dev,
# libmysqlclient-dev, libncurses-dev, libpng-dev, libpq-dev, libreadline-dev, libsqlite3-dev, libssl-dev,
# libtool, libwebp-dev, libxml2-dev, libxslt-dev, libyaml-dev,
DOCKER OFFICIAL IMAGES ==> #For libraries/frameworks:
# - based on either debian or buildpack-deps
# - often those tags are present:
# - alpine: based on alpine instead. Prefer it when possible
# - slim: based on buildpack-deps:curl
# - onbuild: add ONBUILD instructions, e.g.:
# - copying CONTEXT_DIR to /usr/src/app
# - installing dependencies
# - passing build args as ENVVAR (e.g. NODE_ENV)
# - as opposed to iron/IMAGEs, install more things (bigger images), but related to the library/framework
# - e.g. for node: install npm, add group|user "node", ENVVAR NPM_CONFIG_LOGLEVEL, NODE_VERSION,
# symlink nodejs -> node
#For OS:
# - e.g. ubuntu, CentOS
# - is usually the full OS image
┌────────────────────┐
│ CONTAINER CRUD │
└────────────────────┘
CONTAINER #Instance of an image, meant to be run
#Is either:
# - CONTAINER_ID UUID
# - CONTAINER_NAME
docker create IMAGE #Does:
[COMMAND [ARGS...]] # - if does not exist locally, docker pull IMAGE
docker-compose create|run # - creates a container, using IMAGE
[IMAGE_NAME...] # - does not start it yet
#COMMAND: see COMMANDs section
CPSCONF.container_name
--name CONTAINER_NAME |#Def: random
--cidfile FILE
HOSTCONF.ContainerIDFile #Write CONTAINER_ID to FILE
docker rename CONTAINER CONTAINER2#
docker update CONTAINER... #Only a few attributes can be changed, documented elsewhere in this file
docker rm CONTAINER
docker-compose rm [IMAGE_NAME...] #Deletes a CONTAINER
-f
--force |#Deletes even if running
docker-gc ##Removes:
## - stopped containers, if exited more than ENVVAR GRACE_PERIOD_SECONDS (def: 3600)
## - images, if not used by any container, and existed for more than ENVVAR GRACE_PERIOD_SECONDS
## - related volumes
##Available as a Docker image
##Version 0.1.0
ENVVAR STATE_DIR ##Runtime dir (def: /var/lib/docker-gc). Must have read/write permissions
ENVVAR PID_DIR ##Def: /var/run. PID file is PID_DIR/dockergc. Must have read/write permissions
ENVVAR DRY_RUN=1 ##
ENVVAR EXCLUDE_FROM_GC ##Newline-separated file (def: /etc/docker-gc-exclude) of IMAGE_NAME to not remove (can use regex)
ENVVAR EXCLUDE_CONTAINERS_FROM_GC##Same for CONTAINER_NAME (def: /etc/docker-gc-exclude-containers)
ENVVAR EXCLUDE_DEAD=1 ##Do not remove containers with status "dead"
ENVVAR FORCE_IMAGE_REMOVAL=1 ##Even if image has multiple tags
ENVVAR FORCE_CONTAINER_REMOVAL=1 ##Even if removal created an error
ENVVAR LOG_TO_SYSLOG=1 ##
ENVVAR SYSLOG_FACILITY ##Def: user
ENVVAR SYSLOG_LEVEL ##Def: info
ENVVAR SYSLOG_TAG ##Def: docker-gc
ENVVAR DOCKER ##docker command and flags (def: docker)
┌─────────────────────┐
│ CONTAINER DEBUG │
└─────────────────────┘
docker ps #Prints containers with information:
docker-compose ps [IMAGE_NAME...] # - CONTAINER_ID (truncated unless --no-trunc)
# - CONTAINER_NAME
# - IMAGE_NAME
# - IMAGE command
# - ctime
# - status: see above
# - ports forwarding
# - size: only if -s|--size
# - "real size" vs "virtual size": see below
-a
--all #Prints all (not only currently running)
-n [INT]
--last [INT]
-l
--latest #Only prints the INT (def: 1) most recent containers
-q |#
--quiet #Only show container ID
--format GOTMP #Def is DOCKERCONF.psFormat "GOTMP"
-f VAR=VAL #VAR:
--filter VAR=VAL # - id CONTAINER_ID
# - name CONTAINER_NAME
# - ancestor IMAGE
# - before|since CONTAINER
# - status STR
# - exited NUM
# - label VAR[=VAL]
# - isolation default|process|hyperv
# - volume VOLUME|CONTAINER_DIR
# - network NETWORK
CONTAINERINFO.Id #CONTAINER_ID
CONTAINERINFO.Name #CONTAINER_NAME
CONTAINERINFO|CONTAINERSPEC.Image #IMAGE_NAME
CONTAINERINFO.Created #"DATE"
CONTAINERINFO.HostConfig #HOSTCONF
CONTAINERINFO.SizeRootFs #"Virtual size", i.e. size of all layers
#Only if docker inspect -s|--size
CONTAINERINFO.SizeRw #"Real size", i.e. size of current changes from last image, i.e. what would be added by docker commit
#Only if docker inspect -s|--size
docker inspect CONTAINER... #Prints CONTAINERINFO. Same options as docker inspect IMAGE
CONTAINERINFO #Debug information, as JSON
CONTAINERINFO.Config #Same attributes as IMAGEINFO.Config
-f GOTMP
--format GOTMP #
--type image|container|task #If there is ambiguity
┌─────────────────────┐
│ CONTAINER STATE │
└─────────────────────┘
docker stop|restart CONTAINER... #Send "stop signal" (def: SIGTERM), i.e. graceful stop
docker-compose stop|restart #After a "stop grace period" (def: 10 secs), sends SIGKILL, i.e. force stop
[IMAGE_NAME...] #If restart, runs docker start right after
-t INT
--time INT
docker service start ...
--stop-grace-period INT
CONTAINERSPEC.StopGracePeriod
docker-compose
up|restart|scale|stop ...
-t NUM
--timeout NUM #Stop grace period
docker create ...
--stop-signal SIGNAL_NAME
CPSCONF.stop_signal #"stop signal"
STOPSIGNAL SIG_NAME|NUM #Last is Dockerfile instruction.
docker start CONTAINER...
docker-compose start [IMAG_NAM...]#Runs a stopped CONTAINER
docker kill CONTAINER...
docker-compose kill [IMAGE_NAM...]#Send SIGKILL, i.e. force stop
-s SIGNAL |#
--signal SIGNAL #
docker pause CONTAINER...
docker-compose pause [IMAG_NAM...]#Similar to sending SIGSTOP, i.e. pause (like CTRL-Z), but actually uses the control groups "freeze" feature
docker unpause CONTAINER...
docker-compose unpause
[IMAGE_NAME...] #Similar to sending SIGCONT, i.e. unpause, but actually uses the control groups "freeze" feature
CONTAINERINFO.State.Status #Can be:
# - created: after docker create
# - running: after docker start
# - paused: after docker pause
# - restarting: during restarting (see --restart)
# - exited
# - dead: trying to kill|stop, and it failed, so cannot restart
CONTAINERINFO.Running|Paused|
Restarting|OOMKilled|Dead #BOOL
SYSINFO.Containers.
Running|Paused|Stopped #NUM
CONTAINERINFO.State.
StartedAt|FinishedAt #"DATE"
┌──────────┐
│ EXIT │
└──────────┘
docker exec EXIT CODE ==> #Is:
DOCKERINFO.State.ExitCode # - 1: cannot connect to dockerd
DOCKERINFO.State.Error # - 125: dockerd error
# - 126: cannot run COMMAND
# - 127: cannot find COMMAND
# - otherwise: COMMAND exit code
docker wait CONTAINER... #Waits until CONTAINER stops, then prints exit code
docker create|update ...
--restart STR #What happens when container exits:
CPSCONF.restart # - "no" (def): nothing
# - "always": restarts
# - "on-failure[:NUM]": restarts if exit code non-0, with NUM max retries (def: unlim)
# - "unless-stopped": restarts unless explicitly stopped by admin
#Restarts use exponential delay:
# - start at "delay" (def: 100ms)
# - multiply by 2 each time
# - for a maximum of "window" (def: unlim)
#Should not be used if a process manager is used, e.g. systemd, forever or pm2
#Always restart detached (see --detach)
docker service create ...
--restart-condition STR
HOSTCONF.RestartPolicy.Name
TASKIMPIFO.RestartPolicy.Condition#Same with none, any or on-failure
--restart-max-attempts NUM
HOSTCONF.RestartPolicy.
MaximumRetryCount
TASKIMPINFO.RestartPolicy.Attempts#Like NUM above for "on-failure"
--restart-delay NUM
TASKIMPINFO.RestartPolicy.Delay #Like "delay" above
--restart-window NUM
TASKIMPINFO.RestartPolicy.Window #Like "window" above
CONTAINERINFO.RestartCount #NUM
docker run ...
docker compose run ...
--rm |#When exiting, remove:
HOSTCONF.AutoRemove |# - volumes, except if specific VOLUME_NAME was given
|# - container filesystem
|#Pros: clean up space
|#Cons: cannot inspect them after container exit (for debugging)
|#Cannot be used with --detach
dockerd ...
--live-restore #Do not shut down containers if server goes down
#Server must be restarted with same options
#While down, clients will buffer communication to server until limit (def: 64K)
#Not compatible with swarm mode
┌─────────────────┐
│ HEALTHCHECK │
└─────────────────┘
HEALTHCHECK [--OPT] CMD COMMAND #First is Dockerfile instruction.
#Adds a "health status" to a CONTAINER, in addition to its running status:
# - checked by COMMAND at regular intervals
# - COMMAND exit code must be 0 (success) or 1 (failure)
# - COMMAND stdout|stderr will be kept in logs
#Can be inspected with:
# - docker inspect, ps, etc.: see below
# - health_status event (with "docker events")
#Used by:
# - swarm (to maintain number of replicas)
#Only last HEALTHCHECK will be used
--interval DUR #Def: 30s
--timeout DUR #Def: 30s
--retries NUM #Def: 3
docker create ...
--health-cmd CMD
IMAGEINFO.Config.Healthcheck.Test
--health-interval DUR
IMAGEINFO.Config.Healthcheck.Interval
--health-timeout DUR
IMAGEINFO.Config.Healthcheck.Timeout
--health-retries NUM
IMAGEINFO.Config.Healthcheck.Retries#
HEALTHCHECK NONE
docker create ...
--no-healthcheck #
CONTAINERINFO.State.Health.Status #"healthy" or "unhealthy"
CONTAINERINFO.State.Health.
FailingStreak #NUM
CONTAINERINFO.State.Health.Log #OBJ_ARR: Start|End "DATE", ExitCode NUM, Output STR
dockerd ...
--cluster-opts
discovery.heartbeat=NUM
docker swarm init ... #Frequency of healthchecks to nodes, in overlay network
--dispatcher-heartbeat DUR #In secs, def: 20
--cluster-opts discovery.ttl=NUM #How long before a node is considered unhealthy by healthcheck, in overlay network
#In secs, def: 60
┌──────────────┐
│ COMMANDS │
└──────────────┘
COMMAND #Means a CLI command, either:
# - same syntax as in a CLI
# - spawned in a subprocess
# - shell specified with SHELL ["COMMAND",...]
# - def: ["/bin/sh", "-c"]
# - run in background
# - not terminated when parent is (e.g. with docker stop)
# - parent signals not propagated
# - can use trailing backslashes for multiline
# - preferred for RUN
# - as JSON array ["STR",...]
# - run in same process
# - no shell
# - preferred for CMD|ENTRYPOINT
DL4005 ##Use SHELL when needed
CHAINING ==> #Since each command creates a new layer, should chain commands, e.g.:
# - RUN printf a > a \n RUN rm a: first layer is 1 byte, second 0 bytes
# - RUN printf a > a && rm a: only one layer, 0 bytes
#Exit code is of the last command
# - i.e. should use && instead of ;
PACKAGE INSTALLATION ==> #Containers are always unprivileged:
# - can do apt-get install -y
# - but apt-get upgrade will fail on some core packages
#How to install packages:
# apt-get update &&
# apt-get install -y --no-install-recommends PACKAGE=VERSION && (version pinning to avoid unpredictability)
# apt-get clean && rm -rf /var/lib/apt/lists/* (remove apt-get update footprint, so it does not take up space)
DL3005 ##Avoid apt-get upgrade or dist-upgrade
DL3014 ##Use apt-get install -y
DL3015 ##Use apt-get install --no-install-recommends
DL3008|3013 ##Use apt-get|pip install PACKAGE=VERSION, not PACKAGE
DL3009 ##Use apt-get clean && rm -rf /var/lib/apt/lists/*
RUN COMMAND #Dockerfile instruction. Run command, compile-time
#If COMMAND exit code is not 0, stop build
DL3001 ##Avoid COMMAND which does not make sense in a container, e.g. interactive or host-controlling (shutdown, ps, kill, etc.)
DL4001 ##Either use wget or curl, but not both
CMD COMMAND
CPSCONF.command COMMAND #Dockerfile instruction.
IMAGEINFO.Config.Cmd #Run command, runtime.
CONTAINERINFO.Path #Sets default command + args
CONTAINERSPEC.Command #Only last CMD will be used.
CONTAINERINFO|CONTAINERSPEC.Args #At least one CMD or ENTRYPOINT required per Dockerfile
DL4003 ##Do not define multiple CMD
ENTRYPOINT COMMAND #Dockerfile instruction.
docker create ... #If COMMAND uses:
docker compose run ... # - CLI syntax: like CMD
--entrypoint COMMAND # - JSON array syntax:
CPSCONF.entrypoint # - sets default command, that can take args
IMAGEINFO.Config.Entrypoint # - CMD now sets default args (not default command), and must use JSON array syntax
#Only last ENTRYPOINT will be used.
#At least one CMD or ENTRYPOINT required per Dockerfile
DL4004 ##Do not define multiple ENTRYPOINT
docker create IMAGE [...] #If IMAGE:
# - can take args (i.e. uses ENTRYPOINT [+ CMD]):
# - runs default command
# - ... are extra arguments (def: CMD)
# - otherwise (i.e. uses only CMD):
# - ... is command + arguments (def: CMD)
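Added example (not from this cheat sheet): a Dockerfile that applies the HEALTHCHECK, CHAINING, PACKAGE INSTALLATION and ENTRYPOINT/CMD rules above in one place. The base image, the package names, the <PINNED_VERSION> placeholders and the /usr/local/bin/app binary are assumptions to be replaced.

```dockerfile
# Added example, not the cheat sheet's own code. Base image, packages, pinned
# versions and /usr/local/bin/app are placeholders/assumptions.
FROM debian:bookworm-slim

# CHAINING + PACKAGE INSTALLATION: one RUN, steps joined with && so the build
# stops on the first failing step (exit code is that of the last command),
# versions pinned (DL3008), no recommends (DL3015), and the apt-get update
# footprint removed in the same layer (DL3009) so it never lands in the image.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        curl=<PINNED_VERSION> \
        ca-certificates=<PINNED_VERSION> && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

# ENTRYPOINT in JSON array syntax: no shell, the process is PID of the
# container itself, so signals from "docker stop" reach it directly.
ENTRYPOINT ["/usr/local/bin/app"]

# With a JSON-array ENTRYPOINT, CMD only supplies default *arguments*;
# "docker run IMAGE --port 9090" replaces them, the entrypoint stays.
CMD ["--port", "8080"]

# HEALTHCHECK: COMMAND must exit 0 (healthy) or 1 (unhealthy). curl -f exits
# with other non-zero codes on HTTP errors, so "|| exit 1" normalises them.
# Checked every 30s, each check capped at 5s, 3 failures in a row = unhealthy.
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD curl -fsS http://localhost:8080/health || exit 1
```

After "docker build" and "docker run", the outcome of each check is visible in CONTAINERINFO.State.Health.Status and .Log via "docker inspect", and as health_status events in "docker events".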
docker run IMAGE [...] #Does:
docker-compose run IMAGE_NAME # - docker create -a stdout -a stderr IMAGE ...
[COMMAND [ARGS...]] # - docker start CONTAINER
#Shares all options from docker create+exec, plus a few extra, specified in this doc.
docker exec CONTAINER COMMAND
[ARGS...]
docker-compose exec IMAGE_NAME #Run COMMAND [ARGS...] from within the container
COMMAND [ARGS...] #CONTAINER must be running
CONTAINERINFO.ExecIDs #Linux kernel syscall "exec" IDs
┌──────────────────────┐
│ STANDARD STREAMS │
└──────────────────────┘
docker create ...
-a stdin|stdout|stderr #Redirects COMMAND's standard streams to|from current process|terminal
--attach stdin|stdout|stderr #Can be done several times.
IMAGEINFO.Config. #Def:
AttachStdin|Stdout|Stderr # - docker exec: stdin+stdout+stderr